New York Becomes First State to Propose Virtual Currency Regulations

by Davis Wright Tremaine LLP

On July 17, 2014, the New York State Department of Financial Services (DFS) became the first state agency to release proposed regulations specifically governing the crypto-currency industry. The proposed regulations were published in the New York State Register on July 23, 2014, initiating a 45-day public comment period under the New York State Administrative Procedures Act (SAPA). Following on the Financial Crimes Enforcement Network’s (“FinCEN”) March 2013 Guidance on virtual currency, numerous states have issued virtual currency-related advisories (TX), clarifying statements (WA), and consumer warnings (HI). However, no state except New York has proposed new regulations for virtual currency businesses. Numerous states have quietly granted money transmitter licenses to virtual currency companies during the past year. The new regulatory mechanism is colloquially referred to as a “BitLicense,” in reference to the first crypto-currency system, Bitcoin. After the 45-day public comment period, the proposed “BitLicense” regulations will be subject to additional review and revision based on feedback received during the public comment period. Rather than adapt New York’s existing financial regulations, including state money transmitter laws, to fit constantly evolving business models, New York opted to craft a set of rules specific to crypto-currencies.

The proposed regulations are in numerous ways more burdensome than those imposed on traditional money services businesses. Of note, the proposed rules do not contain an exemption analogous to the “agent of a payee” exemption under New York money transmitter law that permits certain fiat currency payment processors and bill payment vendors to avoid licensure. In addition, the regulations impose minimum capital requirements above and beyond those required of money transmitters, and record keeping requirements under the proposed regulations are far more exigent, requiring licensees that process virtual currency payments to record, among other things, the full name and physical address of the sender. While some of the requirements appear intended to protect consumers from the risks inherent in doing business with inexperienced companies and untested business models, others, if enacted, appear to require virtual currency businesses to fundamentally alter the way they process virtual currency transactions. This latter aspect sets the stage for a direct challenge by NY regulators to the design of most virtual currency systems – the pseudonymous nature of transactions. The proposed rules signal strongly to virtual currency companies that regulators view with great suspicion one of the core innovations embodied in cryptographic payment platforms: the ability of a consumer to conduct a cash-like transaction over the Internet without being required to share financial information with a third party.

“Virtual Currency” Defined

The DFS proposal broadly defines “virtual currency” as “any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.” This includes any digital unit of exchange that may be created or obtained by computing or manufacturing effort, regardless of whether it has a centralized or decentralized repository or administrator. Virtual currency does not include, however, digital units used solely within online gaming platforms with no market or application outside of those platforms, nor does it include digital units used exclusively as part of customer affinity or rewards programs. This closely parallels FinCEN’s inquiry into whether or not a currency is “convertible” as the primary factor in deciding whether to apply additional regulatory scrutiny.

Who Must Be Licensed?

Any entity engaged in “virtual currency business activity,” which involves the following types of transactions, must obtain a BitLicense:

  • Receiving or transmitting virtual currency (except when utilized by merchants and consumers solely for the purchase or sale of goods or services)
  • Securing, storing, holding, or maintaining custody or control of virtual currency on behalf of others
  • Buying and selling virtual currency as a customer business
  • Performing “retail conversion services”, including the conversion or exchange of fiat currency (government-issued currency) or other value into virtual currency, the conversion or exchange of virtual currency into fiat currency or other value, or the conversion or exchange of one form of virtual currency into another form of virtual currency
  • Controlling, administering, or issuing a virtual currency

As referenced above, persons who send and receive virtual currency solely in connection with the purchase or sale of goods and services (i.e., consumers directly paying merchants with virtual currency in exchange for goods or services) as well as entities that are already chartered under the New York Banking Law to conduct exchange services and who are approved by DFS to engage in virtual currency business activity need not obtain a BitLicense.

License Requirements

The application process is more rigorous than that for a money transmitter license. In addition to the information required of applicants for a money transmitter license, the proposed rules require the following:

  • A list of, and detailed biographical information for, each applicant, director, principal officer, principal stockholder, and principal beneficiary of the applicant, including the individual’s name, physical and mailing addresses, information and documentation regarding their personal history, experience, and qualification, accompanied by a form of authority, executed by the individual to release to the DFS
  • A background check prepared by an independent investigative agency “acceptable to the superintendent” for each individual applicant, principal officer, principal stockholder, and principal beneficiary of the applicant
  • A complete set of fingerprints and portrait-style photographs for each applicant, principal officer, principal stockholder, and principal beneficiary of the applicant
  • An organizational chart of the applicant and its management structure
  • A current financial statement for each applicant, principal officer, principal stockholder, and principal beneficiary of the applicant
  • A description of the proposed, current and historical business of the applicant
  • Details of all banking arrangements
  • All written company policies and procedures
  • An affidavit describing any administrative, civil, or criminal action, litigation, or proceeding before any governmental agency, court or arbitration panel, and any existing, pending, or threatened action, litigation or proceeding against the applicant or its directors, principal officers, principal stockholders, and principal beneficiaries
  • Any insurance policies maintained for the benefit of the applicant, its directors or officers, or its customers
  • An explanation of methodologies used to calculate the value of the virtual currency in fiat currency

The DFS has 90 days to approve or deny every application, although the superintendent has discretion to extend the approval timeframe.

Capitalization

If a BitLicense is issued, in addition to the required surety bond (see below), a license holder must also maintain sufficient capital “to ensure the financial integrity of the licensee and its ongoing operations.” The superintendent will use the following to determine the appropriate level of capitalization:

  • The composition of the licensee’s total assets, including the position, size, liquidity, risk exposure, and price volatility of each type of asset
  • The composition of the licensee’s total liabilities, including the size and repayment timing of each type of liability
  • The actual and expected volume of the licensee’s virtual currency business activity
  • Whether the licensee is already licensed or regulated by the DFS
  • The amount of leverage employed by the licensee
  • The liquidity position of the licensee
  • The financial protection that the licensee provides to its customers through a trust account or a bond

Permissible Investments/Surety Bond

All earnings and profits may only be invested in the following high-quality, investment-grade permissible investments with maturities of up to one year and denominated in United States dollars:

  • Certificates of deposits issued by federally or state regulated financial institutions
  • Money market funds
  • State or municipal bonds
  • United States government securities; or
  • United States government agency securities

The proposed rules also require each licensee to hold virtual currency of the same type and amount as any virtual currency owed or obligated to a third party. Licensees are also prohibited from selling, transferring, assigning, lending, pledging, or otherwise encumbering assets, including virtual currency, stored on behalf of another person. Each licensee must also maintain a bond or trust account in United States dollars for the benefit of its customers in form and amount acceptable to the DFS (at present, the minimum bond amount required for money transmitter licensees is $500,000.00, and we presume the BitLicense minimum bond amount will be similar).

Record keeping

The proposed rules also require the maintenance of extensive record keeping, including the following:

  • For each transaction, the amount, date, and precise time of the transaction, any payment instructions, the total amount of fees and charges received and paid to, by, or on behalf of the licensee, and the names, account numbers, and physical address of the parties to the transaction
  • A general ledger containing all assets, liabilities, capital, income, expense accounts, and profit and loss accounts
  • Bank statements and bank reconciliation records
  • Any statements or valuations sent or provided to customers or counterparties
  • Records or minutes of meetings of the board of directors or an equivalent governing body
  • Records demonstrating compliance with state and federal anti-money laundering laws; and
  • Communications and documentation related to investigations of customer complaints and transaction error resolution or facts giving rise to possible violation of the law

Waiver of 4th Amendment rights/Examinations

The proposed rules would require the licensee to waive any rights under Article I, § 12 of the New York State Constitution and the Fourth Amendment to the United States Constitution, and to consent to the search of all facilities, books, records, documents or other information maintained by the licensee or its affiliates, wherever the information may be located. Each licensee would also be required to submit to a thorough examination by the DFS not less than once every two years, to submit to the DFS quarterly financial statements within 45 days of the completion of each fiscal quarter, and to submit to the DFS annual audited financial statements within 120 days of the completion of each fiscal year.

Anti-money laundering (“AML”) program

Each licensee is required to develop and implement a complex AML program. As part of the program, among other things, each licensee must maintain the following information for all transactions involving the payment, receipt, exchange or conversion, purchase, sale, transfer, or transmission of virtual currency: the identity and physical addresses of the parties involved; the amount or value of the transaction, including in what denomination purchased, sold, or transferred, and the method of payment; the date the transaction was initiated and completed, and a description of the transaction.

  • Verification of accountholders: Licensees must, at a minimum, when opening accounts for customers, verify their identity, maintain records of the information used to verify such identity, including name, physical address, and other identifying information, and check customers against the Specially Designated Nationals (“SDNs”) list maintained by the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”). Enhanced due diligence may be required based on additional factors, such as for high-risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed. Licensees are also subject to enhanced due diligence requirements for accounts involving foreign entities and a prohibition on accounts with foreign shell entities.
  • Reporting of suspected fraud and illicit activity: Each licensee shall monitor for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity and notify DFS immediately upon detection of such a transaction. When a licensee is involved in a transaction or series of transactions for the receipt, exchange or conversion, purchase, sale, transfer, or transmission of virtual currency in an aggregate amount exceeding the United States dollar value of $10,000 in one day, by one person, the licensee shall also notify DFS within 24 hours.

Cyber security program

Each licensee must maintain a cyber-security program designed to perform a set of five core functions, including:

  • Identify internal and external cyber risks by, at a minimum, identifying the information stored on the licensee’s systems, the sensitivity of such information, and how and by whom the information can be accessed
  • Protect the licensee’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures
  • Detect system intrusions, data breaches, unauthorized access to systems or information, malware and other cyber security events
  • Respond to detected cyber security events to mitigate any negative effects; and
  • Recover from any breaches, disruptions, or unauthorized use of systems and restore normal operations and services

Each licensee must also implement a written cyber security policy setting forth the licensee’s policies and procedures for the protection of the electronic systems and customer and counterparty data stored on those systems, which must be reviewed by the licensee’s board of directors or governing body at least annually. The cyber security policy must address the following areas:

  • Information security
  • Data governance and classification
  • Access controls
  • Business continuity and disaster recovery planning and resources
  • Capacity and performance planning
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third-party service provider management
  • Monitoring and implementing changes to core protocols not directly controlled by the licensee, and
  • Incident response

The proposed rule also requires each licensee to designate a qualified employee to serve as the licensee’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the licensee’s cyber security program and enforcing its cyber security policy. One of the responsibilities of the CISO will be to submit to DFS, at least annually, a report assessing the availability, functionality and integrity of the licensee’s electronic systems, identifying relevant cyber risks to the licensee, assessing the licensee’s cyber security program, and proposing steps for the redress of any inadequacies. The cyber security program will also be required to include the following:

  • Penetration testing of its electronic systems, at least annually, and vulnerability assessments of those systems at least quarterly
  • Audit trail systems that
    • Track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting;
    • Protect the integrity of data stored and maintained as part of the audit trail from alteration or tampering;
    • Protect the integrity of hardware from alteration or tampering, including by limiting access by permissions to hardware, enclosing hardware in locked cages, and maintaining logs of physical access to hardware that allows for event reconstruction;
    • Log system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an unauthorized user, and all system administrator functions performed on the systems; and
    • Maintain records produced as part of the audit trail for a period of ten years

The cyber security program is also required to have adequate cyber security personnel to carry out all the necessary cyber security functions, including obtaining necessary training, and taking steps to stay abreast of changing cyber security threats and countermeasures.

Business continuity and disaster recovery plan

Each licensee is required under the proposed new rule to establish and maintain a written business continuity and disaster recovery (BCDR) plan. The BCDR plan must include the following:

  • Identification of documents, data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the licensee’s business
  • Identification of the supervisory personnel responsible for implementing each aspect of the BCDR plan
  • A plan to communicate with essential persons in the event of an emergency or other disruption to the operations of the licensee, including employees, counterparties, regulatory authorities, data and communication providers, disaster recovery specialists, and any other persons essential to the recovery of documentation and data and the resumption of operations
  • Procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible
  • Procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the licensee and storing of the information off-site; and
  • Identification of third parties who are necessary to the continued operations of the licensee’s business

As referenced above, the proposed regulations were published in the New York State Register on July 23, 2014, initiating a 45-day public comment period under the New York State Administrative Procedures Act (SAPA). Should you have insight or opinion to offer to the DFS, submit your comments pursuant to the SAPA by Sept. 5, 2014.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
